diff --git a/README.md b/README.md index 854ee41..a2b5e8f 100644 --- a/README.md +++ b/README.md @@ -8,15 +8,6 @@ It sets up the following: - Consul, with TLS - Nomad, with TLS -The following scripts are available here: - -- `deploy_nixos`, the main script that updates the NixOS config -- `genpki.sh`, a script to generate Consul and Nomad's TLS PKI (run this once only) -- `deploy_pki`, a script that sets up all of the TLS secrets -- `upgrade_nixos`, a script to upgrade NixOS -- `tlsproxy.sh`, a script that allows non-TLS access to the TLS-secured Consul and Nomad, by running a simple local proxy with socat -- `tlsenv.sh`, a script to be sourced (`source tlsenv.sh`) that configures the correct environment variables to use the Nomad and Consul CLI tools with TLS - ## Configuring the OS This repo contains a bunch of scripts to configure NixOS on all cluster nodes. @@ -27,12 +18,17 @@ Most scripts are invoked with the following syntax: - `./deploy_ ` to run the deployment script on all nodes of the cluster `` - `./deploy_ ...` to run the deployment script only on nodes `node1, node2, ...` of cluster ``. +All deployment scripts can use the following parameters passed as environment variables: + +- `SUDO_PASS`: optionnally, the password for `sudo` on cluster nodes. If not set, it will be asked at the begninning. +- `SSH_USER`: optionnally, the user to try to login using SSH. If not set, the username from your local machine will be used. ### Assumptions (how to setup your environment) - you have an SSH access to all of your cluster nodes (listed in `cluster//ssh_config`) -- your account is in group `wheel` and you know its password (you need it to become root using `sudo`) +- your account is in group `wheel` and you know its password (you need it to become root using `sudo`); + the password is the same on all cluster nodes (see below for password management tools) - you have a clone of the secrets repository in your `pass` password store, for instance at `~/.password-store/deuxfleurs` (scripts in this repo will read and write all secrets in `pass` under `deuxfleurs/cluster//`) @@ -109,7 +105,7 @@ Then, deploy the PKI on all nodes with: **When adding a node to the cluster:** just do `./deploy_pki ` -### Adding administrators +### Adding administrators and password management Adminstrators are defined in the `cluster.nix` file for each cluster (they could also be defined in the site-specific Nix files if necessary). This is where their public SSH keys for remote access are put.